If you’re an owner/operator of a power generation facility, or of any process deemed “Critical Infrastructure”, then you likely fall under NERC-CIP (North American Electric Reliability Corporation – Critical Infrastructure Protection) guidelines and regulations. These standards outline procedures to safeguard assets that are critical to the functioning of society. These are also high-value assets that benefit greatly from performance management.
The standards for CIP are rigorous and involve protecting assets from nefarious activities. The first phase of protection is delivered through isolation, the setting up of a security perimeter around your critical asset. Any access to that perimeter must be well understood and well documented. Needless to say, the demands of NERC-CIP can pose significant obstacles to the installation of performance management software, performance dashboards and reporting systems designed to monitor and improve the operation of those assets.
The Dream Report dashboard and report generation software is a commonly used product for performance management and compliance reporting. Dream Report offers several features that are highly beneficial to owner/operators, but these features must be properly integrated into a NERC-CIP environment. The areas of interest include: 1) Dream Report’s ability to access data from your automation systems for reports and dashboards, 2) Dream Report’s ability to generate report files in the form of PDF and Excel, 3) the ability to email and FTP automatically and the ability to support an interactive Web Portal.
Creating a security perimeter around your critical infrastructure raises the question, “Where should Dream Report be installed, on the inside or outside of that perimeter?” And in either case, how can data safely bridge that secure perimeter?
The answers to these questions depend on who the intended customers of dashboards and reports are. But in either case, you’ll likely be leveraging Data Diode (unidirectional network) technology. A Data Diode is a solution designed to deliver one-way data (a Diode function) while also bridging the security perimeter. The intent is to ensure that data is distributed safely, and that the data path cannot be infiltrated for any purpose other than the intended one. A Data Diode appliance typically consists of a pair of computers, one on each side of the perimeter, an isolating technology (such as a Fiber Optic cable) that will only transmit data in one direction, and the use of a non-routable protocol. There are many Data Diode appliances on the market and they offer varying features and capabilities. Most replicate data in various forms: real-time data such as OPC protocol information, files and directory structures, and even email transmissions.
NERC-CIP Version 5 recognizes Unidirectional Gateways (Data Diodes). CIP Version 5 provides exemptions from 37 of the standard’s 103 requirements when networks are protected by Unidirectional Gateways. Unidirectional Security Gateways are stronger than firewalls. The gateways integrate control systems with business systems without introducing the vulnerabilities which always accompany firewall deployments. Dream Report will work well with Unidirectional Gateways, in a wide variety of configurations. Leveraging Data Diode features can help you decide where and how to implement a Dream Report solution.
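Because a Data Diode path carries data in one direction only, the receiving side cannot acknowledge a file or ask for a resend, so it has to detect loss and corruption on its own. The sketch below is an added example, not code from Dream Report or from any Data Diode vendor; the frame layout, chunk size and function names are assumptions chosen for illustration.

```python
import hashlib
import struct

# Assumed frame header: sequence number, total frames, SHA-256 of the whole file.
HDR = struct.Struct("!II32s")

def make_frames(data, chunk=1024):
    """Sender (inside the perimeter): split a file into self-describing frames."""
    digest = hashlib.sha256(data).digest()
    parts = [data[i:i + chunk] for i in range(0, len(data), chunk)] or [b""]
    return [HDR.pack(seq, len(parts), digest) + p for seq, p in enumerate(parts)]

def receive(frames):
    """Receiver (outside the perimeter): returns (status, data, missing_seqs).

    No return channel exists, so gaps can only be reported locally,
    never repaired by asking the sender to retransmit.
    """
    chunks, total, digest = {}, None, None
    for frame in frames:
        if len(frame) < HDR.size:
            continue                      # truncated frame, ignore
        seq, tot, dg = HDR.unpack_from(frame)
        if total is None:
            total, digest = tot, dg       # first frame defines the transfer
        elif (tot, dg) != (total, digest):
            continue                      # frame from a different transfer
        if seq < total:
            chunks.setdefault(seq, frame[HDR.size:])  # keep first copy of duplicates
    if total is None:
        return "empty", None, []
    missing = [s for s in range(total) if s not in chunks]
    if missing:
        return "incomplete", None, missing
    data = b"".join(chunks[s] for s in range(total))
    if hashlib.sha256(data).digest() != digest:
        return "corrupt", None, []
    return "ok", data, []

if __name__ == "__main__":
    report = b"constructed sample report bytes " * 100   # constructed sample input
    frames = make_frames(report)
    print(receive(frames)[0])                      # all frames arrived
    print(receive(frames[:1] + frames[2:]))        # frame 1 lost in transit
```

A file that comes back as "incomplete" or "corrupt" should be quarantined and flagged on the outside network rather than handed to reporting, since only the sending side can resend it.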
If you install Dream Report within your critical infrastructure, then you reap all the Dream Report benefits of portal and data access within that environment. But you’ll have to leverage Data Diode technology to transfer files and emails to the external world. You will lack external access to the Dream Report Web Portal, an extremely valuable feature, although the Web Portal can still be used in your critical environment.
If you install Dream Report outside of the Critical Infrastructure, then you’ll have to leverage the Data Diode technology to replicate the raw data for reporting. This can involve the use of Database Replication technology, for example to replicate a Dream Report SQL Server database image outside of the Critical Infrastructure. By doing that, you can ensure identical reporting, from identical databases on either side of your critical infrastructure perimeter. With Database Replication, you’ll reap the full benefits of Dream Report for your wider audience.
Of course, we would like to see our customers leverage Dream Report on both sides of their security perimeter. In this way, your operations people will benefit from Dream Report operations and performance portals, and through the use of a Data Diode, raw data can be replicated outside the critical area for others to use.
Related Links:
NERC-CIP – http://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx
Database Replication – http://www.attunity.com
Data Diode Appliance – http://www.owlcti.com/